Web Hosting:
Help Irongeek.com pay for bandwidth and research equipment:

﻿

PHPIDS Installation and Test Page

PHPIDS Installation and Test Page

Since my page is mostly a home grown ghetto PHP CMS, I was interested in seeing
what sort of attacks were being thrown against it. I found a project online
Called PHPIDS, and here are my notes on installing it along with a list of
recent attacks as reported by the IDS.

2. I uploaded everything in the directory lib and below to my web folder.

3. I'm a noob when it comes to MySQL, so I set up a new database in MySQL using
the PHPMyAdmin front end. In the file lib\IDS\Log\Database.php you will find how
the DB has to be set up. What it amounted to for me was just creating the needed
table using the SQL command:

4. By default, the Config.ini file is in \lib\IDS\Config. This is where you need
to set up your database name, password, email address etc. Obviously, you don't
want to leave this someplace where folks can just download it, in my case I
moved it one folder up from the web root where thePHP install could still get to
it (see note about paths in the next section) but a web browser hopefully can
not. I also set mine to ignore some Google cookies by adding this to
the Config.ini:

5. I then created the following stub file (idsstub.php) to initiate the IDS:

<?php
//Set where the relative IDS directory is (IDS parent folder), no
leading or trailing slashes. Change this PATH.
$IDSLoc="lib";
set_include_path(
get_include_path()
.
PATH_SEPARATOR.$IDSLoc.'/'
);
/*
if (!session_id()) {
session_start();
}
*/
//Make sure the line below is set to the right path. Change this
PATH.
require_once$IDSLoc.'/IDS/Init.php';
try {$request=array('REQUEST'=>$_REQUEST,'GET'=>$_GET,'POST'=>$_POST,'COOKIE'=>$_COOKIE,'SERVER'=>$_SERVER["HTTP_HOST"],
//Uncomment the next line if you want to check the user agent, but you
may get a lot of false positives
//'USERAGENT'
=> $_SERVER["HTTP_USER_AGENT"], 'ACCEPT'=>$_SERVER["HTTP_ACCEPT
"]);//By
default, the config is in an insecure place where it can be downloaded,
I moved it one directory up from my root web folder. Change this PATH.$init= IDS_Init::init('/home/.giga/irongeek/Config.ini');$init->config['General']['base_path']= dirname(__FILE__).'/'.$IDSLoc.'/IDS/';$init->config['General']['use_base_path']=true;$init->config['Caching']['caching']='none';$ids=new
IDS_Monitor($request,$init);$result=$ids->run();if(!$result->isEmpty()){//echo
$result?><divstyle="position:fixed;
right:180px; bottom:10px; overflow:visible;"id="clippy"><tablevalign="top"width="130"height="309"border="0"background="http://www.irongeek.com/images/clippy.png"cellpadding="10">
<tr><tdvalign="top"><fontsize="1">&nbsp;Hello, according to <ahref="http://php-ids.org/">PHPIDS</a>
it looks like you are trying to pwn my site.
Would you like <ahref="http://www.irongeek.com/i.php?page=videos/owasp-top-5-louisville">some
help with that?</a>
</font></td></tr></table></div><?require_once'IDS/Log/File.php';require_once'IDS/Log/Composite.php';$compositeLog=new
IDS_Log_Composite();$compositeLog->addLogger(IDS_Log_File::getInstance($init));require_once'IDS/Log/Email.php';require_once'IDS/Log/Database.php';$compositeLog->addLogger(
IDS_Log_Email::getInstance($init),
IDS_Log_Database::getInstance($init)
);$compositeLog->execute($result);}else{echo'Alls good, in the hood.';
}
} catch (Exception
$e){
printf('An error occured: %s',$e->getMessage()
);
}
?>

Things you will want to note: There are several places where you will need to
change your path so it knows where the files are. I've noted them in the code
above with the comment "Change this PATH." Setting the right paths is
the biggest pain, and sorry, but I can't help you on your personal install. Also, make sure you point the config
file to wherever you put Config.ini . I've also changed some of the user
submitted data that the IDS checks. Folks can possibly slip in attacks via the
HTTP ACCEPT for USER AGENT header fields. I had to comment out my user agent
check as it caused too many false positive. On mine, I set it to pop up an image
like the following if folks try to attack my site:

It's fun to be a wiseass to attackers. All hail Clippy!!!

6. On every page I wanted to track attacks, I added the following line of PHP:include ("idsstub.php");In my case, I just put it in my footer.

7. That's pretty much it. Check out my log below of the last 2000 detected
attacks, mostly it's folks trying RFI (remote file includes): <Had to take it
down because of CPU load on my shared hosting provider>